So I've had this server for a little over a month now, and early on I set SSH up with key-only login to ensure no one else can log in. After chatting with a friend about all the brute force attempts one of his servers is on the receiving end of, I decided to take a look at the failed login attempts on mine.

cat /var/log/auth.log | grep 'sshd.*Invalid'

I was somewhat surprised to see the number of attempts on even a fairly new server. It doesn't take them long to find servers apparently!
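The grep above shows every attempt, but what you usually want to know is which addresses are behind them and how many tries each has made. Here is a small script, added as an example rather than taken from the original post, that matches the same `sshd ... Invalid user` lines and aggregates them per source address. The log lines it runs over are constructed, not from the author's server, and it assumes the usual sshd wording `Invalid user NAME from IP`.

```shell
#!/bin/sh
# Count failed "Invalid user" SSH logins per source address in an auth.log-style
# file and list the addresses that reached a threshold.
# Added example; the log lines below are constructed for illustration.

LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Oct 12 14:03:21 srv sshd[2101]: Invalid user admin from 115.114.14.195
Oct 12 14:03:25 srv sshd[2103]: Invalid user oracle from 115.114.14.195 port 51210
Oct 12 14:03:29 srv sshd[2105]: Failed password for invalid user oracle from 115.114.14.195 port 51210 ssh2
Oct 12 14:03:33 srv sshd[2107]: Invalid user test from 115.114.14.195 port 51222
Oct 12 14:04:01 srv sshd[2110]: Invalid user pi from 198.51.100.7 port 40012
Oct 12 14:05:40 srv sshd[2115]: Accepted publickey for deploy from 203.0.113.9 port 50500 ssh2
Oct 12 14:06:02 srv sshd[2118]: Invalid user admin from 115.114.14.195 port 51300
EOF

# Print "count ip" for every source address with at least one invalid-user
# attempt, most active first. Matches the same lines as grep 'sshd.*Invalid'
# (case-sensitive, so the lowercase "invalid user" in "Failed password" lines
# is not double-counted).
invalid_user_counts() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only the addresses whose attempt count reached the threshold in $2.
over_threshold() {
    invalid_user_counts "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

invalid_user_counts "$LOG"
echo "--- addresses with 3 or more attempts:"
over_threshold "$LOG" 3
```

On a real box replace `$LOG` with `/var/log/auth.log`; the output of `over_threshold` is the list you would compare against what fail2ban has actually banned.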

I have of course set up fail2ban which, on the default settings, bans them after six failed attempts for one hour. But it seems this lot are pretty persistent. First up, let's harden fail2ban a bit: reduce the number of failed attempts to three and increase the ban time to one day.

sudo vim /etc/fail2ban/jail.local

Scroll down to the section with bantime and maxretry and set them as follows:

# ban time 24 hours
bantime = 86400
maxretry = 3

Scroll down to the ssh section as well and set it to three maximum retries:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Then finally restart fail2ban.

sudo service fail2ban restart

Now that that's taken care of, let's take it one step further. We can see there's one IP (115.114.14.195, an Indian IP) that seems to have taken a liking to trying to brute force its way in. Let's just ban him at the kernel firewall instead.

Let's first list the existing iptables rules (if you have any):
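Here is how that step looks as a pair of shell functions: one that lists the current INPUT chain, one that inserts a DROP rule for a single source address. This is an added example and not the author's own commands. It assumes a Linux host with `iptables` reachable through `sudo`; the `IPTABLES` variable exists only so the functions can be exercised without root (for instance with `IPTABLES=echo`), and the address check is there so a typo never turns into a rule that drops the wrong traffic.

```shell
#!/bin/sh
# Added example: list the INPUT chain, then drop one source address.
# IPTABLES defaults to "sudo iptables"; override it (e.g. IPTABLES=echo)
# to see the commands without running them. Assumption: iptables is present.
IPTABLES="${IPTABLES:-sudo iptables}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0
    } { exit 1 }'
}

# Show the existing INPUT rules with their positions, so the new rule can be
# placed ahead of any ACCEPT that would otherwise match first.
list_input_rules() {
    $IPTABLES -L INPUT -n --line-numbers
}

# Drop every packet from one source address. -I inserts at the top of the
# chain, so the rule is evaluated before any ESTABLISHED/ACCEPT rule below it.
ban_ip() {
    if ! is_ipv4 "$1"; then
        echo "refusing to ban '$1': not an IPv4 address" >&2
        return 1
    fi
    $IPTABLES -I INPUT -s "$1" -j DROP
}

# Usage: sh ban.sh 115.114.14.195   (lists the chain, then inserts the rule)
if [ $# -gt 0 ]; then
    list_input_rules
    ban_ip "$1"
    list_input_rules
fi
```

Note that a rule added this way lives only in the running kernel; it is gone after a reboot unless you save the ruleset (for example with `iptables-save`, or a package such as iptables-persistent on Debian/Ubuntu).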

That ought to keep him out. Funnily enough, my friend had login attempts from the same IP. Whoever it is, they certainly get around.

Obviously moving SSH to a different port would stop some of these casual attempts at finding open SSH services, but let's leave SSH where it is for the time being to ensure these changes work out as intended.